-{ pkgs, lib, config, inputs, hosts, hostName, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, info, ... }:
let
domain = "autogeree.net";
- domainID = lib.replaceStrings ["."] ["_"] domain;
+ domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
inherit (config.users) groups;
in
{
-networking.nftables.ruleset = ''
- table inet filter {
- # ACME DNS-01 challenge and Gandi DNS
- set output-net-lego-ipv4 {
- type ipv4_addr
- elements = {
- ${hosts.mermet._module.args.ipv4},
- 217.70.177.40
+ networking.nftables.ruleset = ''
+ table inet filter {
+ # ACME DNS-01 challenge and Gandi DNS
+ set output-net-lego-ipv4 {
+ type ipv4_addr
+ elements = {
+ ${hosts.mermet._module.args.ipv4},
+ ${info.gandi.dns.secondary.ns.ipv4}
+ }
}
- }
- set output-net-lego-ipv6 {
- type ipv6_addr
- elements = {
- 2001:4b98:d:1::40
+ set output-net-lego-ipv6 {
+ type ipv6_addr
+ elements = {
+ ${info.gandi.dns.secondary.ns.ipv6}
+ }
}
}
- }
-'';
-security.acme.certs."${domain}" = {
- email = "root+letsencrypt@${domain}";
- extraDomainNames = [
- "*.${domain}"
- ];
- group = groups.acme.name;
- keyType = "rsa4096";
- dnsProvider = "rfc2136";
- # ns6.gandi.net takes roughly 5min to update
- # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
- #dnsPropagationCheck = false;
- credentialsFile = "/dev/null";
- validMinDays = 10;
-};
-systemd.services."acme-${domain}" = {
- serviceConfig.LoadCredentialEncrypted =
- [ "${domain}.tsig:${inputs.self}/hosts/${hostName}/acme/${domain}.tsig.cred" ];
- environment = {
- RFC2136_TSIG_SECRET = "%d/${domain}.tsig";
- RFC2136_NAMESERVER = "ns.${domain}:53";
- RFC2136_TSIG_ALGORITHM = "hmac-sha256.";
- RFC2136_TSIG_KEY = "acme_${domainID}";
- RFC2136_PROPAGATION_TIMEOUT = "1000";
- RFC2136_POLLING_INTERVAL = "30";
- RFC2136_SEQUENCE_INTERVAL = "30";
- RFC2136_DNS_TIMEOUT = "1000";
- RFC2136_TTL = "1";
+ '';
+ security.acme.certs."${domain}" = {
+ email = "root+letsencrypt@${domain}";
+ extraDomainNames = [
+ "*.${domain}"
+ ];
+ group = groups.acme.name;
+ keyType = "rsa4096";
+ dnsProvider = "rfc2136";
+ # ns6.gandi.net takes roughly 5min to update
+ # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
+ #dnsPropagationCheck = false;
+ credentialsFile = pkgs.writeText "acme-credentials-${domain}" ''
+ RFC2136_NAMESERVER=ns.${domain}:53
+ RFC2136_TSIG_ALGORITHM=hmac-sha256.
+ RFC2136_TSIG_KEY=acme_${domainID}
+ RFC2136_PROPAGATION_TIMEOUT=1000
+ RFC2136_POLLING_INTERVAL=30
+ RFC2136_SEQUENCE_INTERVAL=30
+ RFC2136_DNS_TIMEOUT=1000
+ RFC2136_TTL=1
+ '';
+ };
+ systemd.services."acme-${domain}" = {
+ serviceConfig.LoadCredentialEncrypted = [
+ "${domain}.tsig:${./. + "/${domain}.tsig.cred"}"
+ ];
+ environment.RFC2136_TSIG_SECRET_FILE = "%d/${domain}.tsig";
+ after = [ "unbound.service" ];
};
- after = [ "unbound.service" ];
-};
}
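Review bot: The `credentialsFile` now produced with `pkgs.writeText` in the `security.acme.certs` block is written to the world-readable Nix store, so its contents must stay secret-free; the hunk gets this right by moving the TSIG secret out of it into `environment.RFC2136_TSIG_SECRET_FILE` fed by `LoadCredentialEncrypted`, but nothing in the file records that invariant for the next maintainer. Add a comment above `credentialsFile`, e.g. `# Non-secret lego settings only: this file lands in the world-readable Nix store.` and `# The TSIG secret is delivered at runtime via LoadCredentialEncrypted in the systemd.services block below.` The credential path also changes from `${inputs.self}/hosts/${hostName}/acme/` to `${./. + "/${domain}.tsig.cred"}`, i.e. this module's own directory; presumably the encrypted `.cred` file was relocated with it, which is worth confirming since evaluation fails otherwise.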